Johnson & Johnson’s insulin pump is totally hackable

Johnson & Johnson has warned its customers about a security vulnerability in one of its insulin pumps. If exploited, the flaw in the Animas OneTouch Ping insulin pump could allow an attacker to deliver a potentially fatal overdose of insulin.

The warnings were mailed to 114,000 customers throughout the United States and Canada, as well as to doctors who might prescribe the device. It is believed to be the first time a pharmaceutical company has warned its customers about a security vulnerability.

Johnson & Johnson was eager to emphasize that the chance of someone exploiting the vulnerability is “extremely low.”

“It would require technical expertise, sophisticated equipment and proximity to the pump, as the OneTouch Ping system is not connected to the internet or to any external network.”

The company said that if customers were concerned, they could take a number of steps in order to negate any risk. These include discontinuing use of the accompanying wireless remote, and programming the pump to limit the maximum dose of insulin.

The flaw in the device was identified by Jay Radcliffe, a security researcher with Rapid7 who is himself diabetic.

He found that communications between the pump and the remote were not encrypted or scrambled. This means that it is possible for an attacker to spoof communications between the two components. This attack can be performed from a distance of 25 feet.

More and more medical devices are incorporating digital elements, which allows greater precision and automation. But it’s inevitable that we will see more and more security threats, which could potentially have life-threatening consequences.